(remove this and the next line) (be sure to read ~/.ctf_advreadme before reporting advisories.) New advisory by :foo Affected service(s) : Severity [lmh] : ===== Problem ===== ===== Impact ===== ===== Fix ===== (remove this and the next line) (be sure to read ~/.ctf_advreadme before reporting advisories.) New advisory by : Affected service(s) : Severity [lmh] : ===== Problem ===== chatserver does not close the fd after forking ===== Impact ===== service hangs after a certain number of connections ===== Fix ===== pid = fork(); if(pid == 0) serve(c); else { close(c); if(pid < 0) return -1; } (remove this and the next line) (be sure to read ~/.ctf_advreadme before reporting advisories.) New advisory by : nbd Affected service(s) : einwohnermeldeamt Severity [lmh] : high ===== Problem ===== after forking, the file descriptor is not closed in the main process ===== Impact ===== service will hang after too many connections have been processed ===== Fix ===== in einwohnermeldeamt.c, function: main if(pid == 0) serve(c); else { close(c); if(pid < 0) return -1; } (remove this and the next line) (be sure to read ~/.ctf_advreadme before reporting advisories.) New advisory by : nbd Affected service(s) : einwohnermeldeamt Severity [lmh] : high ===== Problem ===== service does not install a SIGCHLD handler ===== Impact ===== zombie processes are left lying around ===== Fix ===== einwohnermeldeamt.c, add this function: static void sig_child(sig) int sig; { int status; int pid; pid = wait(&status); } call it from main: signal(SIGCHLD, sig_child); (remove this and the next line) (be sure to read ~/.ctf_advreadme before reporting advisories.) New advisory by : nbd Affected service(s) : einwohnermeldeamt Severity [lmh] : high ===== Problem ===== a size value from the client is used to allocate memory on the stack ===== Impact ===== this can cause a stack overflow that could lead to remote code execution ===== Fix ===== function.c: function newdb() recv(s, (char*)&size, 4, 0); // --- add if(size < 0 || size > 4096) return; // --- end (remove this and the next line) (be sure to read ~/.ctf_advreadme before reporting advisories.) New advisory by : nbd Affected service(s) : einwohnermeldeamt Severity [lmh] : high ===== Problem ===== data received for the insert command is passed to the shell unchecked ===== Impact ===== remote shellcode execution ===== Fix ===== insert() function in function.c, add this after variable declarations: /* Check for ' to avoid abitrarty shell code execution */ if(strchr(line, '\'') != NULL) return; (remove this and the next line) (be sure to read ~/.ctf_advreadme before reporting advisories.) new advisory by : nbd Affected service(s) : stk Severity [lmh] : medium ===== Problem ===== cross site scripting bug in search.php (and possibly others) ===== Impact ===== might allow people to steal some data through the browser ===== Fix ===== replace original code: $user = $_REQUEST["user"]; $passwd = $_REQUEST["passwd"]; with: $user = htmlspecialchars($_REQUEST["user"]); $passwd = htmlspecialchars($_REQUEST["passwd"]); (remove this and the next line) (be sure to read ~/.ctf_advreadme before reporting advisories.) new advisory by : nbd Affected service(s) : stk Severity [lmh] : medium ===== Problem ===== script gives away the environment of the webserver ===== Impact ===== might help with other attacks ===== Fix ===== remove test.php in stk directory or comment out the code line in there (remove this and the next line) (be sure to read ~/.ctf_advreadme before reporting advisories.) New advisory by : nbd Affected service(s) : mailserver/retserver Severity [lmh] : high ===== Problem ===== the retserver uses a static 1024 byte buffer, but does not check for overrun on input ===== Impact ===== possible remote code execution ===== Fix ===== retserver main.c, function main(), add this in the while(rl) loop if ((tmp - buf) > 1023) break; (remove this and the next line) (be sure to read ~/.ctf_advreadme before reporting advisories.) New advisory by : nbd Affected service(s) : webserver/stk Severity [lmh] : high ===== Problem ===== accounts file is readable through http ===== Impact ===== compromises flags ===== Fix ===== go to stk/stk, mv accounts ../../ replace the fopen in index.php with: $fp = fopen("../../accounts", "r"); (remove this and the next line) (be sure to read ~/.ctf_advreadme before reporting advisories.) New advisory by : nbd Affected service(s) : stk/backend Severity [lmh] : high ===== Problem ===== kartei file is readable from the webserver ===== Impact ===== can compromise flags ===== Fix ===== stk/backend/stkd.c replace DBNAME with #define DBFILE "../../kartei" then mv kartei to ../../